authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2019-11-08 15:12:23 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2019-11-10 23:22:15 +0100
commit084870f9c0c03d5766d272828254f8d0a7aacf66 (patch)
tree6c95b944b9257d99002600c7a4f1474fafea0cd2
parent77abd02985415fc90db03511b6bcc4479f61f81f (diff)
core: rename CGROUP_AUTO/STRICT/CLOSED to CGROUP_DEVICE_POLICY_…
The old names were very generic, and when used without context it wasn't at all clear that they are about the devices policy.
-rw-r--r--src/core/bpf-devices.c6
-rw-r--r--src/core/cgroup.c14
-rw-r--r--src/core/cgroup.h11
-rw-r--r--src/core/unit.c6
4 files changed, 18 insertions, 19 deletions
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
index 693ff124c5..3b8e0ac7f8 100644
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@@ -132,14 +132,14 @@ int cgroup_init_device_bpf(BPFProgram **ret, CGroupDevicePolicy policy, bool whi
assert(ret);
- if (policy == CGROUP_AUTO && !whitelist)
+ if (policy == CGROUP_DEVICE_POLICY_AUTO && !whitelist)
return 0;
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog);
if (r < 0)
return log_error_errno(r, "Loading device control BPF program failed: %m");
- if (policy == CGROUP_CLOSED || whitelist) {
+ if (policy == CGROUP_DEVICE_POLICY_CLOSED || whitelist) {
r = bpf_program_add_instructions(prog, pre_insn, ELEMENTSOF(pre_insn));
if (r < 0)
return log_error_errno(r, "Extending device control BPF program failed: %m");
@@ -160,7 +160,7 @@ int cgroup_apply_device_bpf(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy
return 0;
}
- const bool deny_everything = policy == CGROUP_STRICT && !whitelist;
+ const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !whitelist;
const struct bpf_insn post_insn[] = {
/* return DENY */
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 747543a995..48a320fc9d 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1392,7 +1392,7 @@ static void cgroup_context_apply(
/* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore EINVAL
* here. */
- if (c->device_allow || c->device_policy != CGROUP_AUTO)
+ if (c->device_allow || c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
r = cg_set_attribute("devices", path, "devices.deny", "a");
else
r = cg_set_attribute("devices", path, "devices.allow", "a");
@@ -1401,8 +1401,8 @@ static void cgroup_context_apply(
"Failed to reset devices.allow/devices.deny: %m");
}
- if (c->device_policy == CGROUP_CLOSED ||
- (c->device_policy == CGROUP_AUTO && c->device_allow)) {
+ if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
+ (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
static const char auto_devices[] =
"/dev/null\0" "rwm\0"
"/dev/zero\0" "rwm\0"
@@ -1570,7 +1570,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) {
mask |= CGROUP_MASK_MEMORY;
if (c->device_allow ||
- c->device_policy != CGROUP_AUTO)
+ c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES;
if (c->tasks_accounting ||
@@ -3708,9 +3708,9 @@ int compare_job_priority(const void *a, const void *b) {
}
static const char* const cgroup_device_policy_table[_CGROUP_DEVICE_POLICY_MAX] = {
- [CGROUP_AUTO] = "auto",
- [CGROUP_CLOSED] = "closed",
- [CGROUP_STRICT] = "strict",
+ [CGROUP_DEVICE_POLICY_AUTO] = "auto",
+ [CGROUP_DEVICE_POLICY_CLOSED] = "closed",
+ [CGROUP_DEVICE_POLICY_STRICT] = "strict",
};
int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name) {
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index a66c702125..3d4bb4142d 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -18,16 +18,15 @@ typedef struct CGroupBlockIODeviceWeight CGroupBlockIODeviceWeight;
typedef struct CGroupBlockIODeviceBandwidth CGroupBlockIODeviceBandwidth;
typedef enum CGroupDevicePolicy {
-
- /* When devices listed, will allow those, plus built-in ones,
- if none are listed will allow everything. */
- CGROUP_AUTO,
+ /* When devices listed, will allow those, plus built-in ones, if none are listed will allow
+ * everything. */
+ CGROUP_DEVICE_POLICY_AUTO,
/* Everything forbidden, except built-in ones and listed ones. */
- CGROUP_CLOSED,
+ CGROUP_DEVICE_POLICY_CLOSED,
/* Everything forbidden, except for the listed devices */
- CGROUP_STRICT,
+ CGROUP_DEVICE_POLICY_STRICT,
_CGROUP_DEVICE_POLICY_MAX,
_CGROUP_DEVICE_POLICY_INVALID = -1
diff --git a/src/core/unit.c b/src/core/unit.c
index 5f2ca44701..137a110cc2 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4303,11 +4303,11 @@ int unit_patch_contexts(Unit *u) {
if (cc && ec) {
if (ec->private_devices &&
- cc->device_policy == CGROUP_AUTO)
- cc->device_policy = CGROUP_CLOSED;
+ cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
+ cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
if (ec->root_image &&
- (cc->device_policy != CGROUP_AUTO || cc->device_allow)) {
+ (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
/* When RootImage= is specified, the following devices are touched. */
r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw");